Hi,
Below is my search ,
index=aa sourcetype=bb|stats sum(CountOf_True) as True sum(CountOf_false) as false|table True False |eval comp="Test1"
|append [|search index=cc sourcetype=dd|eval comp="Test2"]
|eventstats count as total_count by comp
|stats count(eval(Status=="True")) as True count(eval(Status=="False")) as False count(eval(Status=="Error")) as "Error" count(eval(Status=="Excluded")) as "Excluded" max(total_count) as total by comp
|eval "True %"=round((('True'+'Excluded')/total*100),2)
|eval "False %"=round((('False'+'Error')/total*100),2)
| sort sort_field |fields - sort_field
|table Comp "True %" "False %"
The result which is get is ,
Comp True % False %
Test1 0 0
Test2 93.00 7.00
I have to get the actual % for Test1 too . Iam getting "0 " .Not sure my append is wrong with stats Sum() .
Please can any one give me right way to get the values for the above search .
This line:
index=aa sourcetype=bb|stats sum(CountOf_True) as True sum(CountOf_false) as false|table True False |eval comp="Test1"
will give you True False and comp fields
This line
|stats count(eval(Status=="True")) as True count(eval(Status=="False")) as False count(eval(Status=="Error")) as "Error" count(eval(Status=="Excluded")) as "Excluded" max(total_count) as total by comp
is based on the value of Status - this no longer exists for comp="Test1" which is why you are getting zeroes
This line:
index=aa sourcetype=bb|stats sum(CountOf_True) as True sum(CountOf_false) as false|table True False |eval comp="Test1"
will give you True False and comp fields
This line
|stats count(eval(Status=="True")) as True count(eval(Status=="False")) as False count(eval(Status=="Error")) as "Error" count(eval(Status=="Excluded")) as "Excluded" max(total_count) as total by comp
is based on the value of Status - this no longer exists for comp="Test1" which is why you are getting zeroes
Thank you ITWhisperer
Is there a way to achieve this ? Whether i can create a new field Status and bring the values into that field ?
Please tell me if there a way available to do this too.
Try something like this
index=aa sourcetype=bb|stats sum(CountOf_True) as True sum(CountOf_false) as false|table True False |eval comp="Test1"
|append [|search index=cc sourcetype=dd
|stats count(eval(Status=="True" OR Status=="Excluded")) as True count(eval(Status=="False" OR Status=="Error")) as False
|eval comp="Test2"]
|eval total_count=True+False
|eval "True %"=round(100*True/total_count,2)
|eval "False %"=round(100*False/total_count,2)
|table comp "True %" "False %"
Thank you .This works great !!
Following this , i am in need of a column which should show barchart for (False % and True%) each comp values .
Ex :
Comp True% False% Barchart
Test1 55 45 corresponding % bar chart
Test2 66 34 corresponding % bar chart
This is the requirement from client, Can you help me please .